US10567379B2ActiveUtilityA1

Network switch port access control and information security

51
Assignee: BANK OF AMERICAPriority: Jun 26, 2017Filed: Jun 26, 2017Granted: Feb 18, 2020
Est. expiryJun 26, 2037(~11 yrs left)· nominal 20-yr term from priority
H04L 63/1433H04L 63/0236H04L 49/3009H04L 63/108H04L 63/08H04L 69/40H04L 63/162H04L 63/0227H04L 63/0876H04L 45/745
51
PatentIndex Score
0
Cited by
34
References
13
Claims

Abstract

A system that includes a switch, a network authentication server (NAS), and a threat management server. The NAS sends a device identifier for an endpoint device to the threat management server in response to the endpoint device connecting to a port on the switch. The threat management server determines the endpoint device is present in a blacklist based on the device identifier in response to receiving the device identifier. The threat management server determines the endpoint device is blocked from one or more second ports on the switch. The threat management server blocks the endpoint device from accessing the network via the first port on the switch in response to determining the endpoint device is blocked from the one or more other ports on the switch.

Claims

exact text as granted — not AI-modified
The invention claimed is: 
     
       1. A threat management server comprising:
 a memory configured to store:
 a blacklist identifying:
 one or more endpoint devices blocked from accessing a network; 
 block timeout periods indicating an amount of time each of the one or more endpoint devices is blocked from a switch; and 
 ports each of the one or more endpoint devices have been blocked from; 
 
 
 a threat management engine implemented by a processor configured to:
 receive a device identifier for an endpoint device in response to the endpoint device changing its connection to the switch from a first port on the switch to a second port on the switch; 
 determine the endpoint device is present in the blacklist based on the device identifier in response to receiving the device identifier; 
 determine the endpoint device is blocked from the first port on the switch based on information in the blacklist; 
 block the endpoint device from accessing the network via the second port on the switch in response to determining the endpoint device is blocked from the first port on the switch; and 
 increase a block timeout period associated with the endpoint device in response to blocking the endpoint device. 
 
 
     
     
       2. The device of  claim 1 , wherein:
 blocking the endpoint device from accessing the network comprises sending a blackhole command to the switch identifying the endpoint device; and 
 the blackhole command triggers the switch to transform the destination of traffic associated with the endpoint device to a null destination in response to receiving the blackhole command. 
 
     
     
       3. The device of  claim 1 , wherein:
 blocking the endpoint device from accessing the network comprises sending a blackhole command to the switch identifying the endpoint device; and 
 the blackhole command triggers the switch to discard traffic associated with the endpoint device in response to receiving the blackhole command. 
 
     
     
       4. The device of  claim 1 , wherein:
 blocking the endpoint device from accessing the network comprises sending a disable command to the switch identifying the endpoint device; and 
 the disable command triggers the switch to disable the port the endpoint device is connected to in response to receiving the disable command. 
 
     
     
       5. The device of  claim 1 , wherein the threat management engine is configured to send an alert identifying the endpoint device in response to blocking the endpoint device from accessing the network. 
     
     
       6. The device of  claim 1 , wherein the threat management engine is configured to capture device information for the endpoint device in response to blocking the endpoint device from accessing the network. 
     
     
       7. The device of  claim 1 , wherein determining the endpoint device is blocked from the first port on the switch comprises determining that the endpoint device was blocked from the first port within a predetermined time period. 
     
     
       8. An information security method comprising:
 receiving, by a threat management server, a device identifier for an endpoint device in response to the endpoint device changing its connection to a switch from a first port on the switch to a second port on the switch; 
 determining, by the threat management server, the endpoint device is present in a blacklist based on the device identifier in response to receiving the endpoint device identifier, wherein the blacklist identifies:
 one or more endpoint devices blocked from accessing a network; 
 block timeout periods indicating an amount of time each of the one or more endpoint devices is blocked from the switch; and 
 ports on the switch each of the one or more endpoint devices have been blocked from; 
 
 determining, by the threat management server, the endpoint device is blocked from the first port on the switch based on information in the blacklist; 
 blocking, by the threat management server, the endpoint device from accessing the network via the second port on the switch in response to determining the endpoint device is blocked from the first port on the switch; and 
 increasing, by the threat management server, a block timeout period associated with the endpoint device in response to blocking the endpoint device. 
 
     
     
       9. The method of  claim 8 , wherein:
 blocking the endpoint device from accessing the network comprises sending a blackhole command to the switch identifying the endpoint device; and 
 the blackhole command triggers the switch to transform the destination of traffic associated with the endpoint device to a null destination in response to receiving the blackhole command. 
 
     
     
       10. The method of  claim 8 , wherein:
 blocking the endpoint device from accessing the network comprises sending a blackhole command to the switch identifying the endpoint device; and 
 the blackhole command triggers the switch to discard traffic associated with the endpoint device in response to receiving the blackhole command. 
 
     
     
       11. The method of  claim 8 , wherein:
 blocking the endpoint device from accessing the network comprises sending a disable command to the switch identifying the endpoint device; and 
 the disable command triggers the switch to disable the port the endpoint device is connected to in response to receiving the disable command. 
 
     
     
       12. The method of  claim 8 , further comprising sending, by the threat management server, an alert identifying the endpoint device in response to blocking the endpoint device from accessing the network. 
     
     
       13. The method of  claim 8 , further comprising capturing, by the threat management server, device information for the endpoint device in response to blocking the endpoint device from accessing the network.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.